AWS cognito documentation change
Summary
Updated terminology (e.g., 'SP' to 'relying party'), clarified feature availability restrictions for federated users, expanded token customization details, and enhanced role-based access control documentation.
Security assessment
The changes improve documentation clarity around security features like token customization (now including access tokens), role trust policy configuration, and AWS WAF integration. However, there's no evidence these changes address specific vulnerabilities or security incidents.
Diff
diff --git a/cognito/latest/developerguide/what-is-amazon-cognito.md b/cognito/latest/developerguide/what-is-amazon-cognito.md index b80ad3270..a176b5003 100644 --- a//cognito/latest/developerguide/what-is-amazon-cognito.md +++ b//cognito/latest/developerguide/what-is-amazon-cognito.md @@ -111 +111 @@ Feature | Description -OIDC IdP | Issue ID tokens to authenticate users +OIDC identity provider | Issue ID tokens to authenticate users @@ -113,3 +113,3 @@ Authorization server | Issue access tokens to authorize user access to APIs -SAML 2.0 SP | Transform SAML assertions into ID and access tokens -OIDC SP | Transform OIDC tokens into ID and access tokens -OAuth 2.0 SP | Transform ID tokens from Apple, Facebook, Amazon, or Google to your own ID and access tokens +SAML 2.0 service provider | Transform SAML assertions into ID and access tokens +OIDC relying party | Transform OIDC tokens into ID and access tokens +Social provider relying party | Transform ID tokens from Apple, Facebook, Amazon, or Google to your own ID and access tokens @@ -117,2 +117,2 @@ Authentication frontend service | Sign up, manage, and authenticate users with m -API support for your own UI | Create, manage and authenticate users through API requests in supported AWS SDKs¹ -MFA | Use SMS messages, TOTPs, or your user's device as an additional authentication factor¹ +API support for your own UI | Create, manage and authenticate users through authentication API requests in supported AWS SDKs¹ +Multi-factor authentication | Use SMS messages, TOTPs, or your user's device as an additional authentication factor¹ @@ -120 +120 @@ Security monitoring & response | Secure against malicious activity and insecure -Customize authentication flows | Build your own authentication mechanism, or add custom steps to existing flows¹ +Customize authentication flows | Build your own authentication mechanism, or add custom steps to existing flows² @@ -122 +122 @@ Groups | Create logical groupings of users, and a hierarchy of IAM role claims w -Customize ID tokens | Customize your ID tokens with new, modified, and suppressed claims +Customize tokens | Customize your ID and access tokens with new, modified, and suppressed claims @@ -125 +125,3 @@ Customize user attributes | Assign values to user attributes and add your own cu -¹ Feature is only available to local users. +¹ Feature is unavailable to federated users. + +² Feature is unavailable to federated and managed login users. @@ -133 +135 @@ An identity pool is a collection of unique identifiers, or identities, that you -To complement authenticated identities, you can also configure an identity pool to authorize AWS access without IdP authentication. You can offer your own custom proof of authentication, or no authentication. You can grant temporary AWS credentials to any app user who requests them, with [unauthenticated identities](https://docs.aws.amazon.com/cognito/latest/developerguide/identity-pools.html#enable-or-disable-unauthenticated-identities). Identity pools also accept claims and issue credentials based on your own custom schema, with [developer-authenticated identities](https://docs.aws.amazon.com/cognito/latest/developerguide/developer-authenticated-identities.html). +To complement authenticated identities, you can also configure an identity pool to authorize AWS access without IdP authentication. You can offer custom proof of authentication with [Developer-authenticated identities](./developer-authenticated-identities.html). You can also grant temporary AWS credentials to guest users, with [unauthenticated identities](./identity-pools.html#authenticated-and-unauthenticated-identities). @@ -135 +137 @@ To complement authenticated identities, you can also configure an identity pool -With Amazon Cognito identity pools, you have two ways to integrate with IAM policies in your AWS account. You can use these two features together or individually. +With identity pools, you have two ways to integrate with IAM policies in your AWS account. You can use these two features together or individually. @@ -149,5 +151,5 @@ Feature | Description -Amazon Cognito user pool SP | Exchange an ID token from your user pool for web identity credentials from AWS STS -SAML 2.0 SP | Exchange SAML assertions for web identity credentials from AWS STS -OIDC SP | Exchange OIDC tokens for web identity credentials from AWS STS -OAuth 2.0 SP | Exchange OAuth tokens from Amazon, Facebook, Google, Apple, and Twitter for web identity credentials from AWS STS -Custom SP | With AWS credentials, exchange claims in any format for web identity credentials from AWS STS +Amazon Cognito user pool relying party | Exchange an ID token from your user pool for web identity credentials from AWS STS +SAML 2.0 service provider | Exchange SAML assertions for web identity credentials from AWS STS +OIDC relying party | Exchange OIDC tokens for web identity credentials from AWS STS +Social provider relying party | Exchange OAuth tokens from Amazon, Facebook, Google, Apple, and Twitter for web identity credentials from AWS STS +Custom relying party | With AWS credentials, exchange claims in any format for web identity credentials from AWS STS @@ -164,11 +166,12 @@ Feature | Description | User pools | Identity pools -OIDC IdP | Issue OIDC ID tokens to authenticate app users | ✓ | -API authorization server | Issue access tokens to authorize user access to APIs, databases, and other resources that accept OAuth 2.0 authorization scopes | ✓ | -IAM web identity authorization server | Generate tokens that you can exchange with AWS STS for temporary AWS credentials | | ✓ -SAML 2.0 SP & OIDC IdP | Issue customized OIDC tokens based on claims from a SAML 2.0 IdP | ✓ | -OIDC SP & OIDC IdP | Issue customized OIDC tokens based on claims from an OIDC IdP | ✓ | -OAuth 2.0 SP & OIDC IdP | Issue customized OIDC tokens based on scopes from OAuth 2.0 social providers like Apple and Google | ✓ | -SAML 2.0 SP & credentials broker | Issue temporary AWS credentials based on claims from a SAML 2.0 IdP | | ✓ -OIDC SP & credentials broker | Issue temporary AWS credentials based on claims from an OIDC IdP | | ✓ -OAuth 2.0 SP & credentials broker | Issue temporary AWS credentials based on scopes from OAuth 2.0 social providers like Apple and Google | | ✓ -Amazon Cognito user pool SP & credentials broker | Issue temporary AWS credentials based on OIDC claims from an Amazon Cognito user pool | | ✓ -Custom SP & credentials broker | Issue temporary AWS credentials based on developer IAM authorization | | ✓ +OIDC identity provider | Issue OIDC ID tokens to authenticate app users | ✓ | +User directory | Store user profiles for authentication | ✓ | +Authorize API access | Issue access tokens to authorize user access to APIs (including user profile self-service API operations), databases, and other resources that accept OAuth scopes | ✓ | +IAM web identity authorization | Generate tokens that you can exchange with AWS STS for temporary AWS credentials | | ✓ +SAML 2.0 service provider & OIDC identity provider | Issue customized OIDC tokens based on claims from a SAML 2.0 identity provider | ✓ | +OIDC relying party & OIDC identity provider | Issue customized OIDC tokens based on claims from an OIDC identity provider | ✓ | +OAuth 2.0 relying party & OIDC identity provider | Issue customized OIDC tokens based on scopes from OAuth 2.0 social providers like Apple and Google | ✓ | +SAML 2.0 service provider & credentials broker | Issue temporary AWS credentials based on claims from a SAML 2.0 identity provider | | ✓ +OIDC relying party & credentials broker | Issue temporary AWS credentials based on claims from an OIDC identity provider | | ✓ +Social provider relying party & credentials broker | Issue temporary AWS credentials based on JSON web tokens from developer applications with social providers like Apple and Google | | ✓ +Amazon Cognito user pool relying party & credentials broker | Issue temporary AWS credentials based on JSON web tokens from Amazon Cognito user pools | | ✓ +Custom relying party & credentials broker | Issue temporary AWS credentials to arbitrary identities, authorized by developer IAM credentials | | ✓ @@ -180,3 +183,3 @@ Customize authentication flows | Build your own authentication mechanism, or add -Groups | Create logical groupings of users, and a hierarchy of IAM role claims when you pass tokens to identity pools | ✓ | -Customize ID tokens | Customize your ID tokens with new, modified, and suppressed claims | ✓ | -AWS WAF web ACLs | Monitor and control requests to your authentication environment with AWS WAF | ✓ | +User groups | Create logical groupings of users, and a hierarchy of IAM role claims when you pass tokens to identity pools | ✓ | +Customize tokens | Customize your ID and access tokens with new, modified, and suppressed claims and scopes | ✓ | +AWS WAF web ACLs | Monitor and control requests to your authentication front end with AWS WAF | ✓ | @@ -185 +188 @@ Unauthenticated access | Issue limited-access web identity credentials from AWS -Role-based access control | Choose an IAM role for your authenticated user based on their claims, and configure your roles to only be assumed in the context of your identity pool | | ✓ +Role-based access control | Choose an IAM role for your authenticated user based on their claims, and configure your role trust to limit access to web identity users | | ✓ @@ -188 +191 @@ Attribute-based access control | Transform user claims into principal tags for y -¹ Feature is only available to local users. +¹ Feature is not available to federated users. @@ -198 +201 @@ For links to guided setup experiences with user pools and identity pools, see [G -For videos, articles, documentation, and more sample applications, see [Amazon Cognito developer resources](https://aws.amazon.com/cognito/dev-resources/). +To get started with an AWS SDK, see [AWS Developer Tools](https://aws.amazon.com/products/developer-tools). For developer resources specific to Amazon Cognito, see [Amazon Cognito developer resources](https://aws.amazon.com/cognito/dev-resources/).